The Patch Window Closed Before It Opened
Two Tens, Both Already Running
Cisco's SD-WAN product, the branch-network fabric running inside most APAC financial services firms, shipped a CVSS 10 authentication bypass this week. CVSS 10 is the maximum score on the Common Vulnerability Scoring System, the threshold that triggers emergency patching requirements under most regulatory frameworks. Researchers confirmed the vulnerability was being actively exploited in production networks before Cisco's advisory was public. That sentence contains the word "authentication." That word names the layer the product is supposed to secure.
That this is the second maximum-severity bug in Cisco's SD-WAN family this calendar year is the context that shifts the reading. One CVSS 10 is an incident. Two in five months is a pattern. The MAS Technology Risk Management Guidelines, Singapore's binding technology risk framework for licensed financial institutions, require that critical vulnerabilities be remediated within defined windows. The window that matters here is the gap between "exploited in production" and "patch applied." For APAC bank branches running Cisco SD-WAN for headquarters connectivity, that gap this week is not a technical question. It is a compliance question with a known audit trail.
Developer Endpoints, Not Servers
The TanStack compromise that burned two OpenAI employee devices this week is not an irony, though it reads as one. TanStack is the JavaScript library family that includes React Query and React Table, underpinning significant portions of open-source AI tooling built on the OpenAI API. The attack vector was a poisoned package in the npm registry, the public repository delivering JavaScript dependencies to millions of developer environments worldwide. A developer ran an install command. The package executed. Credentials left the machine. This is MITRE ATT&CK T1195.001, the framework's designation for supply chain compromise of software dependencies, documented since 2020.
The gap is between the vendor claim and the mechanism. Software composition analysis tools scan for known-malicious package hashes and flag version pinning drift. npm audit, the registry's native vulnerability scanner, runs on published package metadata and does not inspect package behavior on execution. A package published legitimately and then modified passes both checks. The scanner doesn't catch it. The control the software composition analysis vendor sells does not stop the specific attack that burned the OpenAI devices. What access those devices had to OpenAI's production environment is not public.
Congress heard testimony this week that AI-assisted vulnerability discovery is finding zero-day vulnerabilities faster than enterprise patch cycles can absorb them. The claim is not contested. The MAS Technology Risk Management Guidelines and the HKMA Cybersecurity Fortification Initiative, the binding technology risk frameworks for Singapore and Hong Kong financial institutions respectively, were calibrated to a threat model that predates AI-assisted exploitation tooling at scale. The question neither framework has answered is which revision cycle closes that gap, and the Cisco exploitation record this calendar year is the evidence file waiting.